class HTML::WhiteListSanitizer

Parent:: HTML::Sanitizer

Public Instance Methods

sanitize_css(style) Show source

Sanitizes a block of css code. Used by sanitize when it comes across a style attribute

# File actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 119
def sanitize_css(style)
  # disallow urls
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # gauntlet
  if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\[\s\w]+\|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
      style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
    return ''
  end

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
    if allowed_css_properties.include?(prop.downcase)
      clean <<  prop + ': ' + val + ';'
    elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
      unless val.split().any? do |keyword|
        !allowed_css_keywords.include?(keyword) &&
          keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
      end
        clean << prop + ': ' + val + ';'
      end
    end
  end
  clean.join(' ')
end

Protected Instance Methods

contains_bad_protocols?(attr_name, value) Show source

# File actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 183
def contains_bad_protocols?(attr_name, value)
  uri_attributes.include?(attr_name) &&
  (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end

process_attributes_for(node, options) Show source

# File actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 170
def process_attributes_for(node, options)
  return unless node.attributes
  node.attributes.keys.each do |attr_name|
    value = node.attributes[attr_name].to_s

    if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
      node.attributes.delete(attr_name)
    else
      node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
    end
  end
end

process_node(node, result, options) Show source

# File actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 153
def process_node(node, result, options)
  result << case node
    when HTML::Tag
      if node.closing == :close
        options[:parent].shift
      else
        options[:parent].unshift node.name
      end

      process_attributes_for node, options

      options[:tags].include?(node.name) ? node : nil
    else
      bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "&lt;")
  end
end

tokenize(text, options) Show source

Calls superclass method HTML::Sanitizer#tokenize

# File actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 146
def tokenize(text, options)
  options[:parent] = []
  options[:attributes] ||= allowed_attributes
  options[:tags]       ||= allowed_tags
  super
end